Cloud4C
APF_Banner.png

Introduction

 

Vulnerability and Penetration Test is fast catching up with the global enterprises given the merits that come bundled with these two significant tests that will make the improve the security and seals the scope for vulnerabilities. Referred to as VAPT, it provides a holistic view of the threats that a given enterprise face. Flaws in encryption and authentication are of the reasons as to why VAPT should never be ignored. Recent surveys revealed that WPA2—a protocol that protects WiFi—could be easily compromised. Once the threats are discovered, it would be easy to fix them, which is possible only by an efcient VAPT provider like Cloud4C. Cloud4C Vulnerability Assessment and Penetration Test Service is designed to provide a comprehensive, Web-driven Vulnerability Assessment program that provides visibility into potential exposure areas within a distributed network environment

What is VA-PT?

Vulnerability assessment is a process of identifying and quantifying Vulnerability system. A vulnerability assessment is what most companies generally do, as the systems they are testing are live production systems and can’t afford to be disrupted by active exploits which might crash the system.

  • A form of stress testing, which exposes weaknesses and fiaws in a computer system.
  • Art of finding an open door
  • A valued assurance assessment tool
  • PT can be used to find fiaws in the Specification, Architecture, Implementation, Software, and Hardware.

VAPT Features

Cloud4C's Cutting Edge SIEM Offers Immediate Benefits include

  • CIS Compliance and Hardening assessment
    As an operating system can have hundreds of configuration setting, hardening and assessing each single image can be a tedious task. We help enterprises in enabling CIS hardening by preconfiguring them to meet the CIS compliances.
  • Network Penetration Testing Services (External) Black box
    This will help enterprises to examine the Security poster of applications, hosts, network from the Outside the organization, in short provide glass view weakness exposed to Internet.
  • Web-application Assessment services
    Helps in assessing the vulnerabilities and escalate the threats to the administrator to take necessary action or fix the issues.
  • Red Team Attack Stimulation
    Red team is a white-hat/ ethical hacker who attacks the organization with an consent and with an intention to check the efficiency of the defenses/security controls of the enterprise.
  • Network Vulnerability assessment (External & Internal)
    An approach that will analyze and ascertain the possible vulnerabilities in the network—both internal and external.
  • Network Penetration Testing Services (internal) White box
    This will help enterprises to examine the Security poster of applications, Hosts, Network from the inside the organization, in short provide glass view of weakness, vulnerability exposed to Insider or trusted employees.
  • Mobile Application Penetration Testing Services
    Helpful for providing military grade security to applications that are run on mobile phones and similar devices.

Testing Approach for Cloud4C

Black Box Testing
  • Tester need to acquire the Knowledge and Penetrate
  • Acquire knowledge using tools or Social Engineering techniques
  • Publicly available information may be given to the penetration tester
Benefits

Black box testing is intended to closely replicate the attack made by an outsider without any information of the system. This kind of testing will give an insight of the robustness of the security when under attack by script kiddies. It is also known as “Zero-Knowledge” testing

White Box Testing

White box testing is known as “Complete Knowledge” testing

  • Testers are givqen full information about the target system they are supposed to attack. Information
  • Include
  • Technology overviews
  • Data flow & Network diagrams
  • Code snippets & more
Benefits

Reveals more vulnerabilities and may be faster Compared to replicate an attack from a criminal hacker that knows the company infrastructure very well. This hacker may be an employee of the company itself, doing an internal attack.

Gray Box Testing

The tester simulates an inside Employee. The tester is given an account on the internal network and standard access to the network. This test assesses internal threats from employees within the Company The relative merits of all these approaches are debatable

In most cases it is preferable to assume a worst-case scenario and provide the testers with as much information as they require, assuming that any determined attacker would already have acquired this.

Methodology for VA-PT by Cloud4C

Scope/Goal Definition
  • Which attacker profile the tester will use
    • Hacker with no knowledge or knowledge about the target.
    • Internet user with access
  • Which System or network the test will be conducted
  • Duration of Test
Information Gathering
  • Information about the target
    • Who is: ARIN ; RIPE ; APNIC
    • Google: General Information; Financial, Phone Book, Google Hacking Databases; Web Searching
    • DNS Retrieval, SOA Record, MX Records, NS Records, A Records etc.
    • Tools / Websites: Cheops-ng, Sam Spade
    • Social Engineering
    • Dumpster Diving
    • Web Site Copy
Vulnerability Detection
  • Manual Detection
    • Manually probe the target host from common misconflguration or flaws because a vulnerability scanner can fail to identify certain vulnerabilities.
    • Open TCP Ports
    • Closed TCP Ports
    • Open UDP Ports
    • Closed UDP Ports
    • Service Probing
Information Analysis and Planning
  • Collocation the information gathered in previous stages
  • Preparation of high level attack planning
    • Overall Approach
    • Target Approach
Penetration & Privilege Escalation

HAS Two Sub Stages

  • Attack & Penetration
    • Known/available exploit selection – Tester acquires publicly available s/w for exploiting.
    • Exploit customization – Customize exploits s/w program to work as desired.
    • Exploit development – Develop own exploit if no exploit program available
    • Exploit testing – Exploit must be tested before formal Test to avoid damage.
    • Attack – Use of exploit to gain unauthorized access to target.
  • Privilege Escalation
    • What can be done with acquired access /Privilege
    • Alter
    • Damage
Result Analysis & Reporting
  • Organize data/related results for management reporting
    • Consolidation of information gathered
    • Analysis and Extraction of general conclusions.
    • Recommendations
Clean up
  • Cleaning up of all that has been done during testing
    • Any system alterations
    • Exploits

VAPT provides a Web-driven interface that allows Customers to schedule and launch either internal or external scans of assets within their individual environments

 

Benefits

Holistic view of the threats

Global presence in 35 countries

Cloud4C has certified cyber security professionals to fix the errors

Cloud4C has more than 3000 enterprise customers across the globe

Offer Single SLA up to the application login layer

40+ security controls

Dedicated SOCs in multiple locations

Cloud4C manages 45 banks